India must handle security demands with caution

Government, said to have placed deadlines on some foreign firms to comply with country's security requirements, has to tread carefully, notes analyst. RIM, Skype and Google say no official word received to date.
Written by Vivian Yeo, Contributor

The Indian government needs to tread carefully in its push to monitor data in the interest of national security, according to an analyst, following reports of the country's mandate that Research In Motion (RIM), Skype and Google must make customer data accessible to local intelligence agencies.

Specifically, measures need to be put in place to ensure the government does not unfairly single out businesses or fall out of line with international standards around data privacy, said Sanchit Vir Gogia, associate research manager at Springboard Research, who is based in New Delhi, India.

Local media last week reported that senior officials of security agencies had voiced concerns at a recent meeting that data running through some networks could not be intercepted or decoded by intelligence officers.

Citing an internal government note, The Hindu Business Line said India's Department of Telecommunications (DOT) will contact representatives of RIM, Skype and Google "to ensure the content going through the telecom service providers is in readable format". These companies will have to comply within 15 days, the report noted, failing which services that do not allow lawful interception on a real-time basis would be blocked or banned.

The article also noted that the Indian government will amend the country's IT laws to make it mandatory for foreign companies to provide data required by Indian law enforcement agencies. The move would force these companies to open up access to their networks or park the data on local servers in India.

This is not the first time such security concerns have surfaced in the country. In 2008, local authorities also pressured RIM to either share the data encryption code used in the Canadian company's BlackBerry devices, or set up servers in India so that the systems can be monitored by Indian security agencies. However, following months of high-level meetings between government officials and RIM executives, the government eventually concluded BlackBerry devices did not pose any security threat.

Need to tidy up house
In an e-mail interview, Gogia noted it was "debatable" whether or not the government's demands are reasonable.

"With the increase in terrorist attacks and other unscrupulous activities in the country, including stealing of personal information in the local IT industry, the government surely has the right to act professional and demand enough rights to monitor data in the interest of national security.

"However, this access needs to be in accordance to international standards and policies to ensure a fair play for the vendors providing these services," he pointed out.

For instance, as the global outsourcing hub, India needs to amend its IT laws to" sync well with global best practices and instill a higher level of confidence with those doing business in the country".

Yet, one of the obstacles to India's adoption of international standards is the time lag in passing important amendments to IT laws, said Gogia. The Data Protection Bill 2006, for instance, which is expected to solve issues around privacy and compliance, has still not been passed by the Indian Parliament.

In addition, the government "needs to be careful" in targeting service providers and should not only focus on the chosen few such as RIM or Google.

"There are a lot of providers or offerings in the marketplace that provide similar services and have not been mentioned or spoken about by the government," the analyst noted. "It's [important] for the government to take a neutral standpoint and not be seen as acting against a chosen few, thereby, alienating them and spreading a wrong message in the world economy."

"Interestingly, while [the] Blackberry is being chiefly noted by the government as a threat to national security, its access by terrorist groups is highly questionable... Remember that it's a corporate network and only validated users have access to this service," Gogia added.

According to The Hindu Business Line report, authorities had also raised security concerns about the services offered by Indian companies Tata Teleservices and Reliance Communications.

No word from government, say vendors
While it is not clear if the Indian government will indeed put companies on a 15-day compliance notice, the foreign players mentioned in the reports told ZDNet Asia that they have yet to receive any official correspondence.

A Singapore-based Skype spokesperson noted that the company has "not received any confirmation or directive from local authorities in India on this matter", while a representative for RIM indicated the same.

A Gurgaon, India-based Google spokesperson said in an e-mail: "We have not seen any directive from DOT or any other ministry on this and therefore, are unable to comment on the issue."

Editorial standards